A look at the (now patched) security of [Kim Dotcom’s] MEGA cloud storage service

MEGA is a new, encrypted cloud storage system founded by [Kim Dotcom] of MegaUpload fame. They’re selling privacy in that the company won’t have the means to decrypt the data stored by users of its service. As with any software project, their developers are rapidly making improvements to the user interface and secure underpinnings. But it’s fun when we get some insight about possible security problems. It sounds like the issue [Marcan] wrote about has been fixed, but we still had a great time reading his post.

The article focuses on the hashes that the website's JavaScript uses to validate data being sucked in from non-SSL sources. Those insecure sources are a CDN, so this type of verification is necessary to make sure that the third-party network hasn't been compromised as part of an attack on the MEGA site. The particular security issue came when the hashes were generated using CBC-MAC. [Marcan] asserts that this construction is not adequate for the application it's being used for and goes on to post a proof-of-concept on how the messages can be forged while retaining a hash that will validate as authentic.
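Why CBC-MAC falls short as a file hash, shown as an added example (not code from MEGA or from [Marcan]'s post). It assumes the MAC key ships inside the client-side JavaScript and is therefore known to everyone; the key, file contents and function names are constructed for illustration. With the key known, a changed file can carry the same CBC-MAC tag as the original, while a SHA-256 digest of the same bytes no longer matches.

```javascript
// Added illustration for Node.js; key and file contents are constructed samples.
const crypto = require('crypto');

const BLOCK = 16;
const PUBLIC_KEY = Buffer.alloc(BLOCK, 0x11); // assumption: key is embedded in page JS, so not secret

// Single-block AES-128 with no padding (ECB over exactly one block).
function aesBlock(key, block, decrypt = false) {
  const c = decrypt ? crypto.createDecipheriv('aes-128-ecb', key, null)
                    : crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}

function xor(a, b) {
  const out = Buffer.alloc(BLOCK);
  for (let i = 0; i < BLOCK; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Zero-pad to a whole number of blocks.
function pad(data) {
  const rem = data.length % BLOCK;
  return rem ? Buffer.concat([data, Buffer.alloc(BLOCK - rem)]) : data;
}

// CBC-MAC: chain every block through AES, keep only the final state as the tag.
function cbcMac(key, data) {
  let state = Buffer.alloc(BLOCK);
  const p = pad(data);
  for (let i = 0; i < p.length; i += BLOCK) state = aesBlock(key, xor(state, p.subarray(i, i + BLOCK)));
  return state;
}

// With the key known, one trailing block D(tag) XOR state steers any content to a chosen tag.
function matchingBlock(key, altered, targetTag) {
  return xor(aesBlock(key, targetTag, true), cbcMac(key, altered));
}

function sha256(data) { return crypto.createHash('sha256').update(data).digest('hex'); }

function demo() {
  const original = Buffer.from('function boot(){ startApp(); }');     // constructed sample
  const altered = Buffer.from('function boot(){ somethingElse(); }'); // constructed sample
  const published = cbcMac(PUBLIC_KEY, original);
  const tampered = Buffer.concat([pad(altered), matchingBlock(PUBLIC_KEY, altered, published)]);
  return {
    cbcMacAccepts: cbcMac(PUBLIC_KEY, tampered).equals(published), // check passes on changed bytes
    sha256Accepts: sha256(tampered) === sha256(original),          // collision-resistant hash rejects
  };
}
```

CBC-MAC only authenticates data against parties who do not hold the key; verifying downloaded scripts calls for a collision-resistant hash such as SHA-256, pinned over a trusted channel.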

The simple fact is that if you really care about your data security on someone else's server, you have to encrypt it yourself. Also use multiple layers of encryption with different long passphrases, long is better than good! You should also encrypt everything you can, important or not. That way any attacker has to spend time without knowing what they are going to get.

When Mega matures and allows you WebDAV or equivalent functionality, the only thing that will matter is the free 50GB. They could even drop the encryption, unless they need it to paper their arses with.

The two big questions are whether that is a viable business model, and whether NZ’s small number of international Internet links will be able to cope, assuming the Kiwis can stay away from their beer’n’barbies long enough to notice.

But yeah. Basically Kim wants to run a giant piracy site, without being held legally liable. Having everything properly encrypted should cover that.

File sharing’s how he made his money, it’s what he’s good at and all he needs to do.

File sharing sites are very useful. I just worry that this is setting up a fight between the little-known right of people to use encryption, vs the enormous Hollywood $$$ that inevitably get thrown at these things. Like Sony’s rootkit proved, media barons are not honorable or ethical people, it’s strictly and massively about enormous sums of money.

Putting that against the public’s rights and interests, will be a difficult fight. The media industry like to steamroller thru cases like this, then salt the earth afterwards, just in case.

The public don’t really know or care about encryption. And will easily believe it’s just something for hackers and paedophiles. Especially if the media tell them that.

I worry the laws about all this kind of stuff are being made too quickly and without enough insight. All of these laws will become a hundred times more important in years to come. Governments are allowed to change their minds on mistakes. They just tend not to ever do it.

Try setting up an account again, now you’ll receive the validation email instantly. I almost went nuts for two days because of that, after having set up an account with a gmail address in less than 5 minutes.